Explain Cryptography as I’m 5
Any secure web application hosted on the internet that wants to gain the trust of its clients (an end user, a browser, or another application) needs to achieve three things: Confidentiality, Integrity and Authenticity (CIA). These three concepts form the foundation for any communication that happens between a web application and its clients.
1. Confidentiality:
As the name suggests, confidentiality deals with keeping the information exchanged by the client and the server (the application) hidden from malicious actors on the network. This matters because packets travelling over the network can be intercepted by an attacker, who can then read whatever is being exchanged between the Client and the Server.
Example: Let us consider a scenario where we log in to our Facebook account. We don’t want some attacker to sniff the traffic and obtain the account credentials.
For this reason it’s crucial to encrypt the communication between the two parties while they exchange information. There are several ways to encrypt the information on the sender’s side and decrypt the encrypted message to get back the original information. To learn more about this concept, I highly recommend checking out this article.
2. Integrity
So, we have made the information confidential using some encryption technique (algorithm); what’s the problem now? With confidentiality we are making sure no one can read our data (more technically, we are ensuring that even if someone manages to capture the data, they won’t be able to understand it, since the messages are encrypted). If you think about it, we still have other problems to take care of. The question is: “What if the attacker changes the data during the information exchange?”
The picture shows a Perpetrator who acts as a middleman and tries to change the data being sent by the User. That is where the concept of Integrity arises. Integrity deals with detecting and preventing modification of the data. It ensures that the data in the information exchange is not tampered with by some malicious attacker. To learn more about this concept, I highly recommend checking out this article.
3. Authenticity
Now that we have solved the problems of confidentiality and integrity, what other problems are left, you ask? We are still missing one important piece of the puzzle. Who sent this data? Am I talking to the right server, or is this some attacker mimicking the server I want to exchange information with? This is dealt with by Authenticity. Authenticity verifies that the actor, i.e. either the Sender or the Receiver (it applies to both roles), is who they say they are.
Example: Some malicious actor can pretend to be a web server (i.e., bank application for example) and get user’s personal details and credentials.
To learn more about this concept, I highly recommend checking out this article.
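As an added example that is not part of the original post, here are the three properties in Python’s standard library: a toy XOR stream cipher (constructed for the demo, not a real cipher) gives confidentiality, a middleman can still change the ciphertext undetected, and an HMAC over the ciphertext supplies integrity and authenticity because only a holder of the MAC key can produce a valid tag. The message and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Toy XOR "stream cipher" (one-time-pad style). With a random, single-use key
# it hides the message, but it is malleable. Real systems use TLS or an AEAD
# cipher such as AES-GCM; this toy only illustrates the three properties.
def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, key))

def encrypt(message: bytes, key: bytes) -> bytes:
    # Confidentiality: without `key` the ciphertext reveals nothing about message
    if len(key) < len(message):
        raise ValueError("key must be at least as long as the message")
    return xor_bytes(message, key)

decrypt = encrypt  # XOR is its own inverse

def tag(data: bytes, mac_key: bytes) -> bytes:
    # Integrity + authenticity: only a party holding mac_key can compute this tag
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def verify(data: bytes, received_tag: bytes, mac_key: bytes) -> bool:
    # Constant-time comparison; never compare MAC tags with ==
    return hmac.compare_digest(tag(data, mac_key), received_tag)

def tamper(ciphertext: bytes, index: int, delta: int) -> bytes:
    # Middleman edits one byte in transit without seeing the plaintext or keys
    edited = bytearray(ciphertext)
    edited[index] ^= delta
    return bytes(edited)

def demo() -> dict:
    """Encrypt a message, let a middleman edit it, then check with and without a MAC."""
    message = b"PAY 100 TO BOB"                 # constructed sample message
    enc_key = secrets.token_bytes(len(message))  # constructed one-time key
    mac_key = secrets.token_bytes(32)            # constructed shared MAC key
    ciphertext = encrypt(message, enc_key)
    mac = tag(ciphertext, mac_key)               # encrypt-then-MAC: tag the ciphertext

    # The edit flips the '1' in "100" to '9'; confidentiality is never broken
    forged = tamper(ciphertext, message.index(b"1"), ord("1") ^ ord("9"))

    return {
        # Decryption alone "succeeds" and silently yields the altered amount
        "plaintext_after_tamper": decrypt(forged, enc_key),
        "mac_accepts_original": verify(ciphertext, mac, mac_key),
        "mac_accepts_forged": verify(forged, mac, mac_key),  # integrity check catches it
    }
```

The receiver must verify the tag before decrypting; a forged message is rejected even though it decrypts to plausible text.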
Any sensitive information exchange that’s done on the web has to have these 3 problems addressed. HTTPS protocol solves these 3 problems behind the scenes using SSL/TLS. To learn more about it, I highly recommend checking out this article which explains how HTTPS works under the hood.